feat: update tproxy iptables to v0.2.2 #4328

Merged
merged 2 commits into from
May 23, 2022
6 changes: 5 additions & 1 deletion .golangci.yml
Expand Up @@ -28,7 +28,11 @@ linters-settings:
disabled-checks:
- singleCaseSwitch
gci:
local-prefixes: github.com/kumahq/kuma
sections:
- standard
- default
- prefix(github.com/kumahq/kuma-net)
- prefix(github.com/kumahq/kuma)
importas:
alias:
- pkg: github.com/kumahq/kuma/pkg/core/resources/apis/mesh
2 changes: 1 addition & 1 deletion go.mod
Expand Up @@ -24,7 +24,7 @@ require (
github.com/gruntwork-io/terratest v0.40.8
github.com/hoisie/mustache v0.0.0-20160804235033-6375acf62c69
github.com/kelseyhightower/envconfig v1.4.0
github.com/kumahq/kuma-net v0.1.3
github.com/kumahq/kuma-net v0.2.2
github.com/kumahq/protoc-gen-kumadoc v0.2.0
github.com/lib/pq v1.10.6
github.com/miekg/dns v1.1.49
6 changes: 4 additions & 2 deletions go.sum
Expand Up @@ -971,8 +971,10 @@ github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
github.com/ktrysmt/go-bitbucket v0.6.4/go.mod h1:9u0v3hsd2rqCHRIpbir1oP7F58uo5dq19sBYvuMoyQ4=
github.com/kumahq/go-control-plane v0.9.10-0.20211022075049-d35edcf0813a h1:RtOjGzZDv0JDtpWthWmxDHXhZRnJBaeIoIHcQrigWdE=
github.com/kumahq/go-control-plane v0.9.10-0.20211022075049-d35edcf0813a/go.mod h1:utjuSZ1DPHuYf0cTZ8WEsaQf5bwmT1TZiWaQjpJtBF0=
github.com/kumahq/kuma-net v0.1.3 h1:ZMvPuOf6V6q0dTTz55jpNIF9Py4RvP8Z4U/owg4+xy4=
github.com/kumahq/kuma-net v0.1.3/go.mod h1:s/78MDdwEnFwTYCcwguYa4EosjGkBouVIPJM79jvync=
github.com/kumahq/kuma-net v0.2.1 h1:tzubnThQQLGvUvgnc62oNpkzR7ewLWWqRrI0fssdnZw=
github.com/kumahq/kuma-net v0.2.1/go.mod h1:dUqPEm6BP7TqQvaqYDXnwITekoxdtmXTd6UXVlq3n9w=
github.com/kumahq/kuma-net v0.2.2 h1:crfuCBbfqFcTnXuiz4QMsuD6aNZ8JLVeYR+MlvEj7+Y=
github.com/kumahq/kuma-net v0.2.2/go.mod h1:dUqPEm6BP7TqQvaqYDXnwITekoxdtmXTd6UXVlq3n9w=
github.com/kumahq/protoc-gen-kumadoc v0.2.0 h1:3P1PZyw/tI1TYL6QmaePuLqGuarhYkL9ZxjN2yPTLXY=
github.com/kumahq/protoc-gen-kumadoc v0.2.0/go.mod h1:F+c9RjgKlv1Q3UEoPJCtMJw8Fd+X5PfG5jlkTSfZOMA=
github.com/lann/builder v0.0.0-20180802200727-47ae307949d0/go.mod h1:dXGbAdH5GtBTC4WfIxhKZfyBF/HBFgRZSWwZ9g/He9o=
84 changes: 67 additions & 17 deletions pkg/transparentproxy/transparentproxy_experimental.go
@@ -1,14 +1,18 @@
package transparentproxy

import (
"net"
"os/exec"
"strconv"
"strings"

"github.com/pkg/errors"

"github.com/kumahq/kuma-net/iptables/builder"
kumanet_config "github.com/kumahq/kuma-net/iptables/config"

"github.com/kumahq/kuma/pkg/transparentproxy/config"
"github.com/kumahq/kuma/pkg/transparentproxy/istio/tools/istio-iptables/pkg/constants"
)

var _ TransparentProxy = &ExperimentalTransparentProxy{}
Expand All @@ -30,6 +34,39 @@ func splitPorts(ports string) ([]uint16, error) {
return result, nil
}

func hasLocalIPv6() (bool, error) {
addrs, err := net.InterfaceAddrs()
if err != nil {
return false, err
}

for _, a := range addrs {
if ipnet, ok := a.(*net.IPNet); ok &&
!ipnet.IP.IsLoopback() &&
ipnet.IP.To4() == nil {
return true, nil
}
}

return false, nil
}

func shouldEnableIPv6() (bool, error) {
hasIPv6Address, err := hasLocalIPv6()
if !hasIPv6Address || err != nil {
return false, err
}

// We are executing this command to work around the problem with COS_CONTAINERD
// image which is being used on GKE nodes. This image is missing "ip6tables_nat"
// kernel module which is adding `nat` table, so we are checking if this table
// exists and if so, we are assuming we can safely proceed with ip6tables
// ref. https://github.com/kumahq/kuma/issues/2046
err = exec.Command(constants.IP6TABLES, "-t", constants.NAT, "-L").Run()

return err == nil, nil
}

func (tp *ExperimentalTransparentProxy) Setup(tpConfig *config.TransparentProxyConfig) (string, error) {
redirectInboundPort, err := strconv.ParseUint(tpConfig.RedirectPortInBound, 10, 16)
if err != nil {
Expand All @@ -40,6 +77,19 @@ func (tp *ExperimentalTransparentProxy) Setup(tpConfig *config.TransparentProxyC
)
}

var redirectInboundPortIPv6 uint64

if tpConfig.RedirectPortInBoundV6 != "" {
redirectInboundPortIPv6, err = strconv.ParseUint(tpConfig.RedirectPortInBoundV6, 10, 16)
if err != nil {
return "", errors.Wrapf(
err,
"inbound redirect port IPv6 (%s), is not valid uint16",
tpConfig.RedirectPortInBound,
)
}
}

redirectOutboundPort, err := strconv.ParseUint(tpConfig.RedirectPortOutBound, 10, 16)
if err != nil {
return "", errors.Wrapf(
Expand Down Expand Up @@ -74,38 +124,38 @@ func (tp *ExperimentalTransparentProxy) Setup(tpConfig *config.TransparentProxyC
}
}

defaultConfig := kumanet_config.DefaultConfig()
ipv6, err := shouldEnableIPv6()
if err != nil {
return "", errors.Wrap(err, "cannot verify if IPv6 should be enabled")
}

cfg := &kumanet_config.Config{
Owner: &kumanet_config.Owner{
cfg := kumanet_config.Config{
Owner: kumanet_config.Owner{
UID: tpConfig.UID,
GID: tpConfig.GID,
},
Redirect: &kumanet_config.Redirect{
Redirect: kumanet_config.Redirect{
NamePrefix: "KUMA_",
Inbound: &kumanet_config.TrafficFlow{
Port: uint16(redirectInboundPort),
Chain: defaultConfig.Redirect.Inbound.Chain,
RedirectChain: defaultConfig.Redirect.Inbound.RedirectChain,
ExcludePorts: excludeInboundPorts,
Inbound: kumanet_config.TrafficFlow{
Port: uint16(redirectInboundPort),
PortIPv6: uint16(redirectInboundPortIPv6),
ExcludePorts: excludeInboundPorts,
},
Outbound: &kumanet_config.TrafficFlow{
Port: uint16(redirectOutboundPort),
Chain: defaultConfig.Redirect.Outbound.Chain,
RedirectChain: defaultConfig.Redirect.Outbound.RedirectChain,
ExcludePorts: excludeOutboundPorts,
Outbound: kumanet_config.TrafficFlow{
Port: uint16(redirectOutboundPort),
ExcludePorts: excludeOutboundPorts,
},
DNS: &kumanet_config.DNS{
DNS: kumanet_config.DNS{
Enabled: tpConfig.RedirectAllDNSTraffic,
Port: uint16(agentDNSListenerPort),
ConntrackZoneSplit: tpConfig.SkipDNSConntrackZoneSplit,
},
},
IPv6: ipv6,
Verbose: tpConfig.Verbose,
}

if tpConfig.DryRun {
return builder.BuildIPTables(cfg)
return builder.BuildIPTables(cfg, ipv6)
}

return builder.RestoreIPTables(cfg)
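Review bot: `shouldEnableIPv6` collapses any failure of `exec.Command(constants.IP6TABLES, "-t", constants.NAT, "-L").Run()` into a silent `false`, so on a node that has IPv6 addresses but no usable `ip6tables` (missing binary, missing `ip6tables_nat` module, or a held xtables lock) the IPv6 redirect rules are simply not installed and IPv6 traffic bypasses the sidecar with nothing in the result to show why. The probe should at least expose the reason — e.g. keep the `false` decision but surface the command's error to the caller or log it, since `Setup` cannot tell "no IPv6" from "IPv6 present but unredirectable" — and should run as `ip6tables -w -t nat -L -n` so it neither fails spuriously on a concurrent iptables invocation nor attempts reverse DNS on listed addresses. Note also that `hasLocalIPv6` counts link-local (`fe80::/10`) addresses, which most Linux interfaces carry even without routed IPv6; whether that is intended is worth a comment on the function. Separately, the IPv6 inbound-port error in the second hunk wraps the wrong value: `tpConfig.RedirectPortInBound` should read `tpConfig.RedirectPortInBoundV6`. `Setup` starts in the second hunk and its body continues past the last line shown.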